
Inline script because it violates the following Content Security Policy directive: "script-src 'self'"

I am using react-create-app to build my Chrome extension. When I use npm run build I get an error:

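Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-5='), or a nonce ('nonce-...') is required to enable inline execution.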

The index.html with the error:

<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="utf-8" />
    <link rel="shortcut icon" href="%PUBLIC_URL%/favicon.ico" />
    <meta name="viewport" content="width=device-width, initial-scale=1" />
    <meta name="theme-color" content="#000000" />
    <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css" />
    <link
      rel="stylesheet"
      href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css"
      integrity="sha384-BVYiiSIFeK1dGmJRAkycuHAHRg32OmUcww7on3RYdg4Va+PmSTsz/K68vbdEjh4u"
      crossorigin="anonymous"
    />
    <!--
      manifest.json provides metadata used when your web app is installed on a
      user's mobile device or desktop. See https://developers.google.com/web/fundamentals/web-app-manifest/
    -->
    <link rel="manifest" href="%PUBLIC_URL%/manifest.json" />
    <!--
      Notice the use of %PUBLIC_URL% in the tags above.
      It will be replaced with the URL of the `public` folder during the build.
      Only files inside the `public` folder can be referenced from the HTML.

      Unlike "/favicon.ico" or "favicon.ico", "%PUBLIC_URL%/favicon.ico" will
      work correctly both with client-side routing and a non-root public URL.
      Learn how to configure a non-root public URL by running `npm run build`.
    -->
    <title>React App</title>
  </head>
  <body>
    <noscript>You need to enable JavaScript to run this app.</noscript>
    <div id="root"></div>
    <!--
      This HTML file is a template.
      If you open it directly in the browser, you will see an empty page.

      You can add webfonts, meta tags, or analytics to this file.
      The build step will place the bundled scripts into the <body> tag.

      To begin the development, run `npm start` or `yarn start`.
      To create a production bundle, use `npm run build` or `yarn build`.
    -->
  </body>
</html>

manifest.json

{
  "manifest_version": 2,
  "name": "IC Project chrome extension",
  "description": "This extension is a starting point to create a real Chrome extension",
  "version": "0.0.1",
  "browser_action": {
    "default_popup": "index.html",
    "default_title": "Open the popup"
  },
  "icons": {
    "16": "assets/icon-128.png",
    "48": "assets/icon-128.png",
    "128": "assets/icon-128.png"
  },
  "content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'"
}

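After a few hours of frustration, I found a working solution. There are differences between Mac and PC in how scripts are run. A lot of the answers I found involved "set" inline and without, with "&&" and without... none of them worked for me.

TLDR: use the "cross-env" npm package like this: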

cross-env INLINE_RUNTIME_CHUNK=false react-scripts build

This works on PC and probably on Mac too. Of course you need to install it beforehand with npm install --save-dev cross-env.

In package.json, update the "build" script to:

"build": "INLINE_RUNTIME_CHUNK=false react-scripts build"

For those who still get the INLINE_RUNTIME_CHUNK not recognized as a command problem, you need to add set to the build script.

"build": "set INLINE_RUNTIME_CHUNK=false&&react-scripts build"

This way, the INLINE_RUNTIME_CHUNK value is set at build time instead of being looked up in the environment variables.

In package.json, update the "build" script to:


"build": "INLINE_RUNTIME_CHUNK=false && react-scripts build"

Or use this boilerplate instead
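
A build check for the problem discussed in this thread, added here as an example and not taken from the question or any of the answers: it lists inline script elements in a built page and reports those that a given script-src policy does not cover by hash. The function names and the sample HTML are constructed for illustration, and the regex scan is a simplification of real HTML parsing.

```javascript
// Added example: audit built HTML for inline scripts that a
// "script-src 'self'" extension policy would refuse to execute.
const crypto = require("crypto");

// CSP hash source for an inline script body: 'sha256-<base64 digest>'.
function cspHash(body) {
  const digest = crypto.createHash("sha256").update(body, "utf8").digest("base64");
  return "'sha256-" + digest + "'";
}

// Source list of script-src, falling back to default-src when it is absent.
function scriptSources(policy) {
  const directives = {};
  for (const part of policy.split(";")) {
    const [name, ...values] = part.trim().split(/\s+/);
    if (name) directives[name.toLowerCase()] = values;
  }
  return directives["script-src"] || directives["default-src"] || [];
}

// One finding per inline <script>: its hash and whether the policy lists it.
function auditInlineScripts(html, policy) {
  const sources = scriptSources(policy);
  const findings = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const [, attrs, body] = m;
    // Skip external scripts (src=...) and empty elements.
    if (/\bsrc\s*=/i.test(attrs) || body.trim() === "") continue;
    const hash = cspHash(body);
    findings.push({ hash, allowed: sources.includes(hash) });
  }
  return findings;
}

// Inline scripts the policy does not allow by hash.
function blocked(html, policy) {
  return auditInlineScripts(html, policy).filter((f) => !f.allowed);
}

// Constructed samples (not real build output); POLICY is the manifest's CSP.
const POLICY = "script-src 'self' 'unsafe-eval'; object-src 'self'";
const INLINED = '<div id="root"></div><script>!function(e){/* runtime */}([])</script>' +
  '<script src="/static/js/main.js"></script>';
const EXTERNAL = '<div id="root"></div><script src="/static/js/runtime-main.js"></script>' +
  '<script src="/static/js/main.js"></script>';

console.log("inlined runtime chunk:", blocked(INLINED, POLICY));
console.log("external runtime chunk:", blocked(EXTERNAL, POLICY));
```
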
